[cilium] ExternalName Service Causes Unintended External Traffic #716

Open
kahirokunn opened this issue Apr 26, 2024 · 10 comments
Labels
imp/cilium, lifecycle/stale

Comments

@kahirokunn
Member

Issue: ExternalName Service Causes Unintended External Traffic in helloworld-go Sample

Version Affected: 1.14.0

Description:
After applying the helloworld-go sample provided in the latest release (version 1.14.0) of Knative Serving, an ExternalName service was generated as described below. This service setup leads to internal application requests being routed externally via the NAT Gateway, instead of being contained within the cluster. This behavior might not be intended as it causes cluster-internal communications to be sent over the internet.

Generated Service YAML:

apiVersion: v1
kind: Service
metadata:
  annotations:
    serving.knative.dev/creator: system:admin
    serving.knative.dev/lastModifier: system:admin
  creationTimestamp: "2024-04-25T07:51:10Z"
  labels:
    serving.knative.dev/route: helloworld-go
    serving.knative.dev/service: helloworld-go
  name: helloworld-go
  namespace: default
  ownerReferences:
  - apiVersion: serving.knative.dev/v1
    blockOwnerDeletion: true
    controller: true
    kind: Route
    name: helloworld-go
    uid: d4bd7725-d0ec-4c60-9e1d-5fc0a9f0e4e5
  resourceVersion: "1883"
  uid: 8321e1c1-5850-4dfb-b78b-687d717a9083
spec:
  externalName: helloworld-go.default.example.com
  ports:
  - appProtocol: kubernetes.io/h2c
    name: http2
    port: 80
    protocol: TCP
    targetPort: 80
  sessionAffinity: None
  type: ExternalName
status:
  loadBalancer: {}

Expected Behavior:
Internal requests to the service should remain within the cluster, avoiding unnecessary use of external network resources.

Actual Behavior:
Traffic intended for internal services is routed externally, causing potential latency and cost implications.

Steps to Reproduce:

  1. Deploy the helloworld-go sample from Knative Serving 1.14.0.
  2. Observe the routing behavior of requests to the helloworld-go service.
@dprotaso
Contributor

The externalName: helloworld-go.default.example.com is a temporary placeholder until the underlying networking layer provides an alternate hostname or IP.

Are you not seeing the service being updated with the cluster local host or cluster ip?
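
An added example, not part of the issue or of Knative's code: a Python check over `kubectl get svc -A -o json` output that lists ExternalName Services whose target lies outside the cluster DNS domain, such as the placeholder value discussed above. The cluster domain `cluster.local`, the function names and the sample data are assumptions made for illustration.

```python
import json

CLUSTER_DOMAIN = "cluster.local"  # assumption: default cluster DNS domain

# Constructed sample shaped like `kubectl get svc -A -o json` output. The first
# two items mirror the externalName values quoted in this thread.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "helloworld-go", "namespace": "default",
                  "ownerReferences": [{"apiVersion": "serving.knative.dev/v1",
                                       "kind": "Route", "name": "helloworld-go"}]},
     "spec": {"type": "ExternalName",
              "externalName": "helloworld-go.default.example.com"}},
    {"metadata": {"name": "http-bin", "namespace": "thenamespace"},
     "spec": {"type": "ExternalName",
              "externalName": "http-bin.thenamespace.svc.cluster.local."}},
    {"metadata": {"name": "kubernetes", "namespace": "default"},
     "spec": {"type": "ClusterIP"}},
]})

def is_cluster_local(host, cluster_domain=CLUSTER_DOMAIN):
    """True if host is a Service name under the cluster DNS domain."""
    host = host.rstrip(".").lower()  # tolerate a trailing-dot FQDN
    return host.endswith(".svc." + cluster_domain)

def audit_external_names(service_list_json, cluster_domain=CLUSTER_DOMAIN):
    """Return ExternalName Services whose target resolves outside the cluster."""
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        spec = svc.get("spec", {})
        target = spec.get("externalName", "")
        if spec.get("type") != "ExternalName" or is_cluster_local(target, cluster_domain):
            continue
        meta = svc.get("metadata", {})
        owners = meta.get("ownerReferences") or []
        findings.append({
            "service": f'{meta.get("namespace")}/{meta.get("name")}',
            "externalName": target,
            # Owned by a Knative Route: the thread calls this value a placeholder.
            "knative_route": any(
                o.get("kind") == "Route"
                and o.get("apiVersion", "").startswith("serving.knative.dev/")
                for o in owners),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_external_names(SAMPLE):
        print(finding)
```
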

@dprotaso
Contributor

dprotaso commented Jun 3, 2024

@kahirokunn just following up here

@kahirokunn
Member Author

This also occurred when using Cilium's GatewayAPI.
We have not had time to re-verify this one.
I will share the results and the scripts etc. I used when I tested it next time!
thx 🙏

@dprotaso
Contributor

dprotaso commented Jun 4, 2024

We don't test with Cilium - so it's probably specific to that implementation.

@kahirokunn
Member Author

kahirokunn commented Jun 7, 2024

I understand.
Please let me share any more information when I get it.
Thx

@dprotaso changed the title from "ExternalName Service Causes Unintended External Traffic" to "[cilium] ExternalName Service Causes Unintended External Traffic" on Jun 21, 2024
@CheyenneForbes

@dprotaso for me with cilium, my test deployment's generated ExternalName service stays as externalName: http-bin.thenamespace.svc.cluster.local

Contributor

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions bot added the lifecycle/stale label on Sep 25, 2024
@github-actions bot closed this as not planned on Oct 25, 2024
@kahirokunn
Member Author

/reopen


knative-prow bot commented Oct 25, 2024

@kahirokunn: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@knative-prow bot reopened this on Oct 25, 2024
@github-actions bot removed the lifecycle/stale label on Oct 26, 2024
Contributor

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions bot added the lifecycle/stale label on Jan 24, 2025
3 participants